Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security

Comcast's Xfinity Home Security Flaw Leaves Doors Open (rapid7.com) 119

itwbennett writes: Researchers at Rapid7 have disclosed vulnerabilities in Comcast's Xfinity Home Security offerings that prevent the system from alerting homeowners to unsecured doors or windows and would also fail to sense an intruder's motion in the home. The root cause of the problem can be found in the ZigBee-based protocol used by Comcast's system to operate over the 2.4 GHz frequency band. Rapid7's Phil Bosco discovered that the Xfinity Home Security system does not fail closed with an assumption of an attack if radio communications are disrupted. Instead, the system fails open, reporting that all sensors are intact, doors are closed, and no motion is detected.
This discussion has been archived. No new comments can be posted.

Comcast's Xfinity Home Security Flaw Leaves Doors Open

Comments Filter:
  • This is what happens when a company strays too far out of its core (in)competency.
    • I don't know, as a former Comcast customer they seem to have about the same competency in home security as providing cable TV service.

      • As an (unfortunately) current Comcast customer (who will jump ship the nanosecond Google Fiber becomes available), Comcast has always been technically competent in my experience. The problem is that they're evil!

        • Of course they are technically competent, they have to be to ensure that they minimize service and maximize ripping off their customers.

    • by mysidia ( 191772 )

      I think those types of vulnerabilities like the one mentioned above are by no means specific to Comcast.

      Also, by and large, "experts" and manufacturers in the physical security industry are clueless in regards to IT security, Information security, and Systems security.

      Home security companies' core competence is in providing systems to mitigate physical security issues, but they are largely ignorant to specialized attacks and weaknesses in the systems themselves that they provide for the purpose of impr

  • I have done some development (albeit limited) using a Zigbee stack, and this failure has nothing to do with the Zigbee protocol, per se. That "explanation" sounds like some of the project-engineers trying to pull the wool over the eyes of Comcast's management (and Customers).
    • It's something that's basically guaranteed to happen: when you hear the words "Comcast Software" you don't think "oh, that's really going to be secure" because they are a company that focuses on cutting costs primarily.

      If you want secure software, you need to start from the bottom up: even the most junior programmers need to be thinking about security, every time they write a line of code. Security isn't something that can be bolted on after the fact.

      If you think of Comcast's management style, you can
    • Yeah, it's not a Zigbee issue. It's an issue with using a wireless signal on an overcrowded and highly competitive spectrum to perform a mission critical communication task.

      To make a car analogy, it's like blaming ford for making a shitty car because you tried to put 8 tons of bricks in your focus and the suspension failed.
    • by Shoten ( 260439 )

      I have done some development (albeit limited) using a Zigbee stack, and this failure has nothing to do with the Zigbee protocol, per se. That "explanation" sounds like some of the project-engineers trying to pull the wool over the eyes of Comcast's management (and Customers).

      It has a little to do with ZigBee, since ZigBee as a standard uses 2.4 GHz. Beyond the part of spectrum that ZigBee uses, there's nothing else about the protocol that is a problem here...but there's no such thing as a ZigBee implementation that exists outside the 2.4 GHz public spectrum band.

      On the other hand, the issue here is an interesting one. ZigBee's actually a pretty secure protocol for communications, with regard to integrity and confidentiality. But for applications that depend upon availability,

      • It's mostly to do with the low battery utilization of zigbee sensors. From what I can tell of the ones I have in my house, they basically use a reed relay to trip an interrupt on the microcontroller that causes it to transit that the sensor state has changed. In sleep mode then seem to run about a year on a coincell so it's obviously not in regular radio communication with the base station.

        Obviously the sensors could wait for acknowledgement of their state change and otherwise continue sending it until they

        • by AmiMoJo ( 196126 )

          A year on a coin cell would give you enough energy to send a ping say once a minute. I do this stuff for a living, it's surprising how little energy you need.

          Sending a ping now and then is essential, because otherwise the battery could die or the sensor fail and you wouldn't even know.

          • A year on a coin cell would give you enough energy to send a ping say once a minute.

            Depends on the transmission power requirements. Doubling the distance between transmitter and receiver generally means quadrupling the power output; noise of any sort (refrigerator motor, microwave, baby-monitor) causes retransmits, temperature deviations might affect battery performance, false-positives occur more often than expected, etc. In general take your best estimate of battery-life under perfect conditions, then halve it.

          • Can you recommend a zigbee sensor that can do that? I'd love one, and like you agree that it's probably possible on paper but in reality i've tried a few and haven't found anything that can deliver that from a coin cell.

      • On the other hand, the issue here is an interesting one. ZigBee's actually a pretty secure protocol for communications, with regard to integrity and confidentiality. But for applications that depend upon availability, it's something that you could jam with a baby monitor, a wifi AP or a cordless phone. I wouldn't expect Comcast to come up with a home-grown solution that was nearly half as secure as ZigBee, and I also can't imagine that it could be worth it to license a piece of spectrum just for their solution; it would cost too damn much. So where does that leave all of us when it comes to this kind of use case?

        I dunno; especially considering the limited frequency-bands available with no licensing requirement. It sounds a bit ignorant, but considering we're talking about an indoor application, it almost seems like a "ZigBee-esque" mesh-network of infrared transceivers would be better for this, and no steenking FCC to worry about.

        Then, the only thing you have to worry about is sunlight bringing down your network...

        This is one of the reasons why it is a shame that the Echelon LONTalk [wikipedia.org] protocol didn't really catch

    • Ture, but the Zigbee protocol is pretty ugly in a lot of places (SEP 2.0 that is). Low speed link yet binary data is transmitted using XML? Ludicrous.

      • Ture, but the Zigbee protocol is pretty ugly in a lot of places (SEP 2.0 that is). Low speed link yet binary data is transmitted using XML? Ludicrous.

        I agree. I think that a fair amount of things about ZigBee are somewhat under-planned; but this stuff still isn't ZigBee's fault. Other than the fact that they picked a VERY crowded RF band upon which to hitch their entire concept.

  • i thought their only purpose was so that your home insurance company will cover your home
    • i thought their only purpose was so that your home insurance company will cover your home

      Ironically, you just answered your own question as to the people that would give a shit about the actual functionality.

  • by mindwhip ( 894744 ) on Tuesday January 05, 2016 @12:40PM (#51242311)

    This is why wireless is such a bad idea in many situations... wired allows for so much more tamper proofing and overall security.

    • How so? It's all in the design of the system. The way around this would be an authenticated "heart-beat" type setup wherein I tell you that I'm OK until I don't tell you I'm OK. In that case it becomes the monitoring center's responsibility to dial the police. Instead from what I've surmised the system is designed so that it's mostly a "I'm OK unless I say otherwise", which is poor design. The medium of communication has nothing to do with it.
      • by tlhIngan ( 30335 )

        How so? It's all in the design of the system. The way around this would be an authenticated "heart-beat" type setup wherein I tell you that I'm OK until I don't tell you I'm OK. In that case it becomes the monitoring center's responsibility to dial the police. Instead from what I've surmised the system is designed so that it's mostly a "I'm OK unless I say otherwise", which is poor design. The medium of communication has nothing to do with it.

        Indeed.

        In fact, the wireless sensors I've seen (900MHz based ones

    • by antdude ( 79039 )

      It's not hard to cut the lines. ;)

      Wireless (e.g., cellular) is harder though.

  • Why would you trust your fscking cable company to be your security alarm? What makes you think they have any expertise in this field?

    I find this stuff to be mostly self-inflicted stupidity on behalf of consumers.

    Every week we see yet another story indicating that consumer electronics have absolute garbage security, and are rushed out the door by people do don't give a crap about your security.

    All this smart home crap, and all of this home monitoring crap pushed by your cable company? It's stuff being rush

    • All the development methodologies of the last few decades have been primarily focused on how to get software out the door quicker: Agile, RAD, Extreme Programming, etc are focused on faster (of course, there are exceptions: NASA for example always tries to make things more reliable, other researchers have looked at that too, but the mainline software industry has mostly ignored reliability).

      The reality is, if you want secure software, every programmer needs to be thinking about security. It's not somethin
      • Well, I will say the general issue here is people are willing to accept shit security for a shiny bauble. And that's their own damned problem.

        Until companies bear real legal liability for being incompetent at implementing security, I am going to assume that every new product which wants to connect to the internet is a steaming pile of shit I have no interest in.

        If you can open your door from your cell phone, someone else can too. And there's a very good chance it's so damned trivial to bypass that it woul

        • I just read this story [wsj.com] which suggests that consumers are starting to avoid IoT stuff because of security concerns. So that might cheer you up (a bit) on a rainy, dreary morning.
        • What everyone else does ... not my damned problem.

          I was with you up to this point. While I wish I could ignore all the shitty decisions other people make, it still affects me because the good choices I want to make become more difficult or impossible. For example, it's probably no longer possible to buy a new car that doesn't spy on you [businessinsider.com]. Even if I keep driving antique cars myself, sooner or later that fact would make me stand out enough that I become trackable anyway.

  • You need to look at the rate of false positives vs. false negatives. If they took the fail-alert approach, for every true security breach, Comcast would be responding to thousands of "my microwave interrupts my WiFi when it runs" etc. This would further impact response times to true security breaches due to cry wolf issues. So is it secure? Yeah not really. Is this the correct business choice for Comcast? Probably.
    • You need to look at the rate of false positives vs. false negatives. If they took the fail-alert approach, for every true security breach, Comcast would be responding to thousands of "my microwave interrupts my WiFi when it runs" etc. This would further impact response times to true security breaches due to cry wolf issues. So is it secure? Yeah not really. Is this the correct business choice for Comcast? Probably.

      If they would just develop an equivalent system that used the 5.4 GHz band, they could get away from the insane 2.4 GHz pollution issues, and thus increase the reliability (and thus trustworthiness) of their RF-link several-fold. THEN they could develop their "intrusion rules" around something that was nearly as foolproof as a hard-wired connection. Note that I said "nearly"...

    • So why not do what competent alarm companies do an create a third state called "fault" which indicates that there is a problem but not necessarily a break in? This is just a side effect of Comcast not being a security company but trying to be all things to all people and doing none of it well.
    • Is this the correct business choice for Comcast? Probably.

      Not any more so than replacing the doors of their corporate offices with bead curtains and rice paper.

      If a flaw this basic is inherent in a wireless approach, then the right business choice is you don't use the wireless approach.

    • So is it secure? Yeah not really. Is this the correct business choice for Comcast? Probably.

      It's only the correct business choice because companies are no longer held accountable for products that are blatantly not fit for purpose, but fraudulently marketed as such.

  • We've had them for years for cable, phone & internet. Then we dropped our land line, and they actually wanted to increase our phone bill when we wanted the service stopped! They said we paid less for all 3 services because of the "triple play discount", so it cost more for cable & internet than it cost for cable, internet & telephone. It wasn't until I threatened to leave that they took that off of our service and dropped our bill by $10. Then, to save more money, we got rid of our extra cabl
  • by wonkey_monkey ( 2592601 ) on Tuesday January 05, 2016 @01:12PM (#51242625) Homepage

    Comcast's Xfinity Home Security Flaw Leaves Doors Open

    No, people leave doors open. Xfinity just sucks at warning you about it.

  • by Anonymous Coward

    Everyone seems to be jumping on the bash comcast band wagon here but did comcast really cause this kind of problem? The article didn't mention but the sensor check-in message will get missed by the control panel (think heartbeat) and report comm fail. So why would a wireless sensor communication failure triggering a false alarm be a GOOD thing? If you consider the fees some local governments charge for false alarms, the strict federal regulations preventing false alarms, how these systems handle sensor comm

  • I spent some time as an installer for a local security company at one point in time.

    I don't know what Comcast is using, but most security systems (wired or wireless) can be configured to be Normally Open, or Normally Closed. Also, some can be configured to fail open or fail safe.

    This could in part be a configuration issue.

    But I also didnt read the article. Just speculating... haha

  • Because the damn thing would be non stop false alarms if they did. Zigbee is NOT reliable enough for an alarm system.

  • Welcome to the IoaYTGS - Internet of all Your Things Got Stolen.

  • Most of the newer alarm system offerings have switched over to wireless sensors vs the old school method of hard-wiring them.

    ( Hard wire is the way to go, but you really need to do it as the home is being built. Trying to retrofit a wired system after is a major undertaking. )

    I'm curious to know if the other vendors using wireless sensors also suffer from the same vulnerabilities as the Xfinity one does. ( ADT, AT&T Digital Life, etc. )

  • This would be the same Comcast that makes your cableco-provided wireless modem/router combo broadcast a second public wi-fi network by default? Sounds like Comcast will cause open back doors in the both physical and metaphorical sense.

  • That's the company that sends me e-mail notifications for someone's alarm system. The notifications contain the person's first name, street address, a timestamp and what the action was (alarm armed, disarmed, armed stay, alarm, etc.). There only return address is unmonitored and xfinity.com doesn't seem to have any contact information.

    Seems like a legit operation.

  • Loyal, protective dogs, big ones...

    • You can shoot dogs, or poison them, or bribe them with meat.
      No one is going to think your house is being broken into, just because a dog is barking.
      • You can shoot dogs, or poison them, or bribe them with meat. No one is going to think your house is being broken into, just because a dog is barking.

        The smartest AI in the world is still orders of magnitude dumber than an untrained guard dog.

        Sure, you can poison dogs, but only one at a time, thereby making it slower to break in. You can shoot dogs, but that just alerts everyone within earshot. You can try bribing my rottweilers with meat, but I don't think it will be very successful - they've remained quite hostile to strangers after eating the stranger's meat in the past.

        I'm in the crime capital of the world (probably), and the only times I've ever be

      • All that matters is that the person trying to break in hears the dogs. Shooting a dog makes a LOT of noise. You have to get in the house to poison them, and that's assuming the owner or family members aren't there to catch you in the act. Your automated system is not perfect either, NO system is. I find your comments disingenuous at best.

        • I find your comments disingenuous at best.

          I know people who've had their dogs shot, so I apologize for your findings.

  • Reading quickly through this thread, with all the comments about whiners wanting something for nothing, it seems to me that most are missing the real story here. The Binge-on plan is supposed to be about getting certain content without it counting against a data cap, that certain providers have worked out a deal with T-Mobile allowing their streams to be “optimized” in exchange for users getting unlimited access. But it turns out that everyone‘s content is being treated the same: it’

  • It is important to note that Comcast is not the manufacturer of these devices. They are also most likely not creating the software for them either. The alarm system is sold by an OEM that several different alarm companies use, including other cable companies.

    The system also isn't just using ZigBee for communication, it is using the ZigBee Home Automation standard. ZigBee has defined how they want home security and automation products to communicate over their ZigBee radio standard. So this isn't just relate

Think of it! With VLSI we can pack 100 ENIACs in 1 sq. cm.!

Working...